US Again Indicts Chinese Intel Agents Over Hacking

Indictments against Chinese intelligence officers and associates may signal a breach of an agreement reached on intellectual property hacking between former President Barack Obama and Chinese President Xi Jinping. (Source: The White House)

The Justice Department says two Chinese intelligence officers and eight others were indicted for stealing trade secrets intended to help the country shortcut the development of a turbofan airplane engine plus other technology.

A grand jury indicted the group in June 2017, but the indictment was only filed in federal court in San Diego on Oct. 18. The department announced it on Tuesday.

The unsealed indictment

The indictment comes as tension over intellectual property hacking has risen again between the U.S. and China. That's despite a landmark agreement struck in September 2015 between U.S. President Barack Obama and Chinese President Xi Jinping, which aimed to put intellectual property off-limits for cyber spies (see: U.S., China Reach Cyber Agreement).

Prosecutors allege the group used a variety of techniques, ranging from spear phishing to malware to bogus look-a-like domains, to gain deep access into 13 companies, including Capstone Turbines of Los Angeles.

Most of the companies are unnamed aerospace suppliers. Two are in the U.K., one is in France and the rest are in U.S. states, including Arizona, Massachusetts, Oregon, Wisconsin and California. The hacking was allegedly aimed at allowing for the development of similar turbofan engines within China without incurring research and development costs.

The indictment marks the third time since September that the U.S has brought charges against Chinese intelligence officers and other associates for alleged theft of intellectual property.

Familiar Attack Playbook

The officers, Chai Meng and Zha Rong, work for the Jiangsu Province Ministry of State Security in Nanjing. The department is a provincial foreign intelligence arm of the People's Republic of China's Ministry of State Security, the Justice Department says.

The two men are accused of orchestrating an extensive scheme running between January 2010 to May 2015 that recruited other hackers to gain access to companies as well as recruiting insiders to plant malware.

They used a familiar playbook, the indictment indicates.

"The hackers used a range of techniques, including spear phishing, sowing multiple different strains of malware into company computer systems, using the victim companies' own websites as 'watering holes' to compromise website visitors' computers, and domain hijacking through the compromise of domain registrars," the indictment says.

The malware included Sakula, IsSpace, Winnti and PlugX.

'I'll Bring The Horse'

Chinese intelligence managed to recruit two employees of an unnamed French aerospace company that had an office in Suzhou, which is in Jiangsu province, prosecutors allege.

One of the men, Gu Gen, was the company's infrastructure and security manager, and another, Tian Xi, was a product manager. Both are named in the indictment.

Prosecutors allege that a Jiangsu Province Ministry of State Security officer met with Tian at a restaurant in Suzhou in mid-November 2013. Later that month, prosecutors say the officer set up a plan to meet Tian and give him Trojan horse malware to be installed on the French company's systems.

"I'll bring the [Trojan] horse to you tonight," the indictment quotes the intelligence officer as saying. "Can you take the Frenchmen out to dinner tonight? I'll pretend I bump into you at the restaurant to say hello. This way we don't need to meet in Shanghai."

In January 2014, Tian allegedly texted the intelligence officer: "The horse was planted this morning."

Recent Charges

On Oct. 10, the Justice Department announced that an alleged Chinese Ministry of State Security officer had been charged with economic espionage and attempting to steal trade secrets.

The man, Yanjun Xu, was arrested in Belgium and extradited to the U.S. He's accused of stealing data from "multiple U.S. aviation and aerospace companies."

Although computer security experts noticed a decline in Chinese activity following the agreement with the U.S in 2015, incidents such as the case against Xu suggest the environment is changing again.

In the press release about Xu's arrest, Assistant Attorney General for National Security John C. Demers said: "This case is not an isolated incident. It is part of an overall economic policy of developing China at American expense."

The Justice Department also says that in September, a U.S. Army recruit was charged with allegedly working "as an agent of a JSSD intelligence officer, without notification to the Attorney General."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.